(57) Abstract:

PROBLEM TO BE SOLVED: To provide a memory management
technique for avoiding stack smashing attacks.

SOLUTION: When securing a local variable storing area LV in the stack
for a subroutine, the size of the local variable storing area LV is
determined randomly in a range larger than the size required for storing
all local variables declared in the source program of the subroutine. Thus,
because the relative position of the return address storing area RA in
the stack frame cannot be precisely anticipated from the source code
or the like, it becomes very difficult for a stack smashing attack to
rewrite the return address with a destination address (the start address
of the malicious program code).
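The effect described in the abstract, modelled as an added example (not code from the patent): a byte array stands in for the stack frame of a function with a 128-byte local buffer, and the same unchecked copy is applied to a fixed-size and a randomly sized LV. The 8-byte slot width, the placement of the padding between the buffer and PFP, the helper names and the xorshift generator are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQUIRED_LV 128u  /* size the declared locals need: char buffer[128] */
#define SLOT 8u           /* assumed width of the PFP and RA areas */
#define MAX_FRAME 512u
/* Modelled frame, low to high address: LV (buffer, then padding) | PFP | RA.
   Putting the padding between buffer and PFP is an assumption of this model. */

/* xorshift32: reproducible stand-in; a real allocator needs an unpredictable source. */
static uint32_t next_rand(uint32_t *s) {
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

/* LV size picked at random, always larger than the declared locals require. */
size_t pick_lv_size(uint32_t *seed, unsigned max_extra_slots) {
    return REQUIRED_LV + SLOT * (1 + next_rand(seed) % max_extra_slots);
}

size_t ra_offset(size_t lv_size) { return lv_size + SLOT; }  /* RA lies above PFP */

/* Copy an input laid out for `assumed_lv` into a frame whose LV is `lv_size`.
   Returns 0 if RA is untouched, 1 if corrupted, 2 if replaced by the value the
   input carried for it, -1 if the sizes do not fit the model. */
int ra_after_overflow(size_t lv_size, size_t assumed_lv) {
    uint8_t mem[MAX_FRAME] = {0}, input[MAX_FRAME], good[SLOT], aimed[SLOT];
    size_t n = ra_offset(assumed_lv) + SLOT, ra = ra_offset(lv_size);
    if (n > MAX_FRAME || ra + SLOT > MAX_FRAME) return -1;
    memset(good, 0xAA, SLOT);                 /* legitimate return address */
    memset(aimed, 0xCC, SLOT);                /* constructed replacement value */
    memcpy(mem + ra, good, SLOT);
    memset(input, 0x41, n);
    memcpy(input + ra_offset(assumed_lv), aimed, SLOT);
    memcpy(mem, input, n);                    /* strcpy-like copy, no check against LV */
    if (memcmp(mem + ra, good, SLOT) == 0) return 0;
    return memcmp(mem + ra, aimed, SLOT) == 0 ? 2 : 1;
}

/* Over `trials` randomized frames, count how often `outcome` occurs. */
unsigned count_outcome(int outcome, unsigned trials, unsigned max_extra_slots,
                       size_t assumed_lv, uint32_t seed) {
    unsigned hits = 0;
    for (unsigned i = 0; i < trials; i++)
        hits += ra_after_overflow(pick_lv_size(&seed, max_extra_slots), assumed_lv) == outcome;
    return hits;
}

int main(void) {
    printf("fixed LV: %d, LV padded by one slot: %d\n",
           ra_after_overflow(REQUIRED_LV, REQUIRED_LV), ra_after_overflow(REQUIRED_LV + SLOT, REQUIRED_LV));
    return 0;
}
```

An input laid out for the wrong LV size either stops short of RA or overwrites it with filler, so the outcome is a failed return rather than a controlled one.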
[Representative drawing: source code of a function that copies a string into char buffer[128] with strcpy, and its stack frame with the 128-byte buffer and the PFP area.]



libsafe: Arash Baratloo, Timothy Tsai, and Navjot Singh, "Transparent Run-Time Defense Against Stack Smashing Attacks," in Proceedings of the USENIX Annual Technical Conference, June 2000. http://www.avayalabs.com/project/libsafe/doc/usenix00/paper.html

[0 0 15] 



[Drawings: stack frame diagrams for the call strcpy(buffer, getenv("ENV_STR")). Labels: PARAMS (Parameters), RA (Return Address), PFP (Previous Frame Pointer), FP (Frame Pointer), SP (Stack Pointer), Addr_X.]



#include <stdlib.h>   /* getenv */
#include <string.h>   /* strcpy */

void foo() {
    char buffer[128];
    /* no length check: an ENV_STR value longer than the buffer overruns it */
    strcpy(buffer, getenv("ENV_STR"));
    return;
}

void bar() {
    foo();
}



[Drawings: stack frames of foo with the 128-byte buffer, and the layout of LV, PFP and RA for strcpy(buffer, getenv("ENV_STR")). Legend: PARAMS (Parameters), RA (Return Address), PFP (Previous Frame Pointer), LV (Local Variable), FP (Frame Pointer), SP (Stack Pointer).]

(2002. 4. 11)